Skip Navigation Links | |
Exit Print View | |
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0) |
Part I Directory Server Administration
2. Directory Server Instances and Suffixes
3. Directory Server Configuration
Using SSL With Directory Server
To View the Default Self-Signed Certificate
To Manage Self-Signed Certificates
To Request a CA-Signed Server Certificate
To Add the CA-Signed Server Certificate and the Trusted CA Certificate
To Renew an Expired CA-Signed Server Certificate
To Export and Import a CA-Signed Server Certificate
Configuring the Certificate Database Password
To Configure the Server So the User is Prompted for a Certificate Password
Backing Up and Restoring the Certificate Database for Directory Server
Configuring Credential Levels and Authentication Methods
Setting SASL Encryption Levels in Directory Server
SASL Authentication Through DIGEST-MD5
To Configure the DIGEST-MD5 Mechanism
SASL Authentication Through GSSAPI
To Configure the Kerberos System
To Configure the GSSAPI Mechanism
Configuring LDAP Clients to Use Security
Using SASL DIGEST-MD5 in Clients
Specifying Environment Variables
Examples of the ldapsearch Command
Using Kerberos SASL GSSAPI in Clients
To Configure Kerberos V5 on a Host
To Specify SASL Options for Kerberos Authentication
Example Configuration of Kerberos Authentication Using GSSAPI With SASL
Configuring PTA to Use a Secure Connection
Setting the Optional Connection Parameters
Specifying Multiple Servers and Subtrees
6. Directory Server Access Control
7. Directory Server Password Policy
8. Directory Server Backup and Restore
9. Directory Server Groups, Roles, and CoS
10. Directory Server Replication
13. Directory Server Attribute Value Uniqueness
15. Directory Server Monitoring
Part II Directory Proxy Server Administration
16. Directory Proxy Server Tools
17. Directory Proxy Server Instances
19. Directory Proxy Server Certificates
20. Directory Proxy Server Load Balancing and Client Affinity
21. Directory Proxy Server Distribution
22. Directory Proxy Server Virtualization
23. Virtual Data Transformations
24. Connections Between Directory Proxy Server and Back-End LDAP Servers
25. Connections Between Clients and Directory Proxy Server
26. Directory Proxy Server Client Authentication
27. Directory Proxy Server Logging
28. Directory Proxy Server Monitoring and Alerts
Part III Directory Service Control Center Administration
This section contains procedures that help you to choose encryption ciphers.
When a server instance is created, both an LDAP clear port and a secure LDAP port (LDAPS) are created by default. However, there might be situations where you want to disable non-SSL communications so that the server communicates only through SSL.
The SSL connection is enabled with a default self-signed certificate. If you want to, you can install your own certificates. For instructions on managing certificates and disabling SSL after the server has been started, see Chapter 5, Directory Server Security. For an overview of certificates, certificate databases, and obtaining a CA-signed server certificate, see Oracle Directory Server Enterprise Edition Reference.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
To disable the non secure point, you must bind to the LDAP secure port. This example shows a bind to the default LDAP secure port, 1636, on the host server host1.
$ dsconf set-server-prop -h host1 -P 1636 ldap-port:disabled
$ dsadm restart /local/dsInst
You can now no longer bind on the non secure port 1389.
A cipher is the algorithm used to encrypt and decrypt data. Generally speaking, the more bits that a cipher uses during encryption, the stronger or more secure the encryption is. Ciphers for SSL are also identified by the type of message authentication used. Message authentication is another algorithm that computes a checksum that guarantees data integrity.
When a client initiates an SSL connection with a server, the client and server must agree on a cipher to use to encrypt information. In any two-way encryption process, both parties must use the same cipher. The cipher used depends upon the current order of the cipher list kept by the server. The server chooses the first cipher presented by the client that matches a cipher in its list. The default cipher value for Directory Server is all, which means all known secure ciphers supported by the underlying SSL library. However, you can modify this value to only accept certain ciphers.
For more information about the ciphers that are available with Directory Server, see Oracle Directory Server Enterprise Edition Reference.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dsconf get-server-prop -h host -p port ssl-supported-ciphers ssl-supported-ciphers : TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ssl-supported-ciphers : TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ssl-supported-ciphers : TLS_DHE_RSA_WITH_AES_256_CBC_SHA ssl-supported-ciphers : TLS_DHE_DSS_WITH_AES_256_CBC_SHA ...
See Exporting to LDIF.
$ dsconf set-server-prop -h host -p port ssl-cipher-family:cipher
For example, to set the cipher family to SSL_RSA_WITH_RC4_128_MD5 and SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, type:
$ dsconf set-server-prop -h host1 -P 1636 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \ ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA Enter "cn=Directory Manager" password: Before setting SSL configuration, export Directory Server data. Do you want to continue [y/n] ? y Directory Server must be restarted for changes to take effect.
If you already have a list of ciphers specified, and you want to add a cipher, use this command:
$ dsconf set-server-prop -h host -p port ssl-cipher-family+:cipher
For example, to add the SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher, type:
$ dsconf set-server-prop -h host1 -P 1636 \ ssl-cipher-family+:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
$ dsadm restart /local/dsInst